Can RegTech harmonize global data privacy challenges?


Data privacy continues to become an important topic for regulators around the world, as more regulations are released each year bolstering rules to ensure greater protections.

For instance, several US states have strengthened their data protection laws this year, with protecting consumer data a focal point for many. The states that have updated their data privacy laws include New Hampshire, Delaware, Iowa, New Jersey, Minnesota and several others.

But it is not just the US that has tightened rules in this space. Late last year, Australia issued the Privacy and Other Legislation Amendment Bill 2024, which is part of a broader revamp of the country’s privacy laws. China recently updated its regulations on network data security management, which cover personal information and cross-border data. Malaysia, Peru, India, Japan and Sri Lanka are among the other countries with data protection rule updates in the works.

Aligning with data protection rules is a complex task, especially for firms that operate across multiple jurisdictions, but RegTech solutions have helped to ease the challenge.

Venky Yerrapotu, CEO and Co-Founder, 4CRisk.ai said, “RegTech has become table-stakes for organizations that need to harmonize compliance across privacy rules such as the EU’s GDPR, California’s CCPA, and Canada’s PIPEDA where incidents are exacerbated with the growing use of AI.”

The rising implementation of AI is an area where Yerrapotu sees a lot of friction with data protection rules. He added, “Privacy programs work on the principle of data minimization – where organizations should only collect data that is strictly necessary for a specific purpose. Yet we are experiencing a rapid growth in the use of AI models, which often need to be trained on massively large datasets to be truly effective. This is creating a design tension, where large language models explore new areas, with a broad purpose, by nature.”

What makes this an even greater challenge, Yerrapotu noted, is the lack of transparency in a lot of AI tools. There are still many AI tools that are not easily explainable and could have biases that violate privacy regulations.

Yerrapotu added, “Demonstrating compliance can get tricky, and we’ve seen hefty fines imposed on LinkedIn and Meta for not adequately protecting user data. The only way for organizations to be truly compliant is to ensure they are using small, specialized language models trained on a clean corpus that pulls from publicly available information and never uses private data for training.”

However, when AI has strict measures in place to minimise the chance for errors, it can be a truly powerful tool for compliance. RegTech solutions leveraging AI can streamline privacy programs in ways that would have seemed impossible just a few years ago, Yerrapotu noted.

For instance, an AI-powered RegTech solution can scan the horizon for rules, regulations and laws, and identify the ones that specifically apply to an organisation. It can then highlight the specific changes the teams would need to make to mitigate compliance risks. The technology can also harmonise requirements across various sources and read the intent of privacy regulations, transforming these elements into a common obligation for rulebooks.

Yerrapotu also pointed to capabilities that can map privacy obligations to an organisation’s policies and controls, and identify gaps in compliance. “This kind of AI-powered harmonization and rationalization can slash regulatory compliance and privacy team efforts dramatically, making them 50x more effective, but most importantly, freeing them to do the type of proactive and strategic analysis that simply wasn’t available a few years ago.”

Simplifying cross-border requirements

As mentioned, each country has its own data privacy rules. The lack of standardisation can make it difficult for firms with operations that span multiple jurisdictions. However, RegTech solutions can help to reduce this challenge.

Areg Nzsdejan, CEO and co-founder of Cardamon, believes that the way to simplify cross-border compliance is by automating a comparison between them. Nzsdejan said, “Simplifications come from extracting obligations and comparing them. This in essence is translating the rules into the language of the company that it applies to. Once the long list of applicable obligations is extracted, it’s a matter of finding the commonalities across them and – crucially – the differences. This will give a holistic view of where the company can have a unified approach across borders but also where it has to have a tailored view. This can be achieved with well-designed and complex systems leveraging the power of LLMs and agentic flows. Much like what Cardamon does.”

Yerrapotu also noted that RegTech platforms can streamline cross-border compliance by turning siloed, manual and reactive processes into automated, centralised and proactive ones. “Basically, organizations need to know, in real-time, what rules apply, and where. For example, if a transaction is spanning the USA and France, a RegTech platform can embed different sets of rules for checks in the platform, and if the rules change, automated updates can ensure the correct rules are followed.”

There are RegTech platforms available that can automatically identify and tag data based on its origin, such as ‘Canadian citizen data’, and then enforce rules that align with the jurisdiction in which the data is held.
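The two capabilities just described, embedding per-jurisdiction rule sets that can be swapped when rules change and tagging records by origin so that storage and transfer checks follow the data, can be sketched as a small policy check. This is an added illustration, not code from any vendor named in the article; the rule set, field names and sample records are constructed and do not represent any actual law.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ResidencyRule:
    """Where data from one origin may be stored, and which onward
    transfers need a documented safeguard (all values constructed)."""
    allowed_storage: frozenset
    safeguard_needed: frozenset


# Constructed rule set keyed by origin tag; not a statement of any law.
# Because rules are data, an automated update is just a new dict.
RULES = {
    "CA": ResidencyRule(frozenset({"CA"}), frozenset({"US", "EU"})),
    "EU": ResidencyRule(frozenset({"EU"}), frozenset({"US", "CA"})),
    "US": ResidencyRule(frozenset({"US", "CA", "EU"}), frozenset()),
}


def tag_origin(record):
    """Tag a record by the data subject's country (hypothetical field)."""
    return record.get("subject_country", "UNKNOWN")


def evaluate(record, rules=RULES):
    """Return a list of findings for one record; an empty list is compliant."""
    origin = tag_origin(record)
    rule = rules.get(origin)
    if rule is None:
        # Fail closed: data with no applicable rule set must not be processed.
        return [f"no rule set for origin '{origin}'; block processing"]
    findings = []
    if record["stored_in"] not in rule.allowed_storage:
        findings.append(f"{origin} data stored in {record['stored_in']}; "
                        f"allowed: {sorted(rule.allowed_storage)}")
    for dest in record.get("transfers_to", []):
        if dest in rule.safeguard_needed and dest not in record.get("safeguards", {}):
            findings.append(f"transfer of {origin} data to {dest} lacks a safeguard")
    return findings


# Constructed sample records, as a platform might see them after tagging.
SAMPLE = [
    {"id": "r1", "subject_country": "CA", "stored_in": "CA",
     "transfers_to": ["US"], "safeguards": {"US": "contractual clauses"}},
    {"id": "r2", "subject_country": "EU", "stored_in": "US"},
    {"id": "r3", "subject_country": "US", "stored_in": "EU", "transfers_to": ["CA"]},
    {"id": "r4", "subject_country": "BR", "stored_in": "BR"},
]


def run(records, rules=RULES):
    """Evaluate every record against the current rule set."""
    return {r["id"]: evaluate(r, rules) for r in records}
```

Re-running `run(SAMPLE, updated_rules)` after a rule change shows which records become compliant or non-compliant without touching the records themselves.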

Streamlining audits for global firms

RegTech not only helps firms with simplifying regulatory updates but can also streamline audits. While these have traditionally been complex and resource-intensive, a RegTech solution can streamline the task by ensuring everything is organised, consistent and easy to access, across all locations.

Sean Devine, account executive at ViClarity, noted that RegTech can automate daily tasks and provide a clear audit trail that is up to date. He said, “Instead of pulling together spreadsheets and chasing different teams for evidence, firms can rely on a single platform that keeps all their risk controls, policies, breaches and regulatory updates in one place. That means when it’s time for an audit—whether internal or by a regulator like the CBI, FCA or European Banking Authority—they’re already prepared.

“It also helps standardise how compliance is managed across different offices and regions. By building the regulatory requirements into everyday processes, RegTech makes it easier for firms to prove they’re doing the right things—without it turning into a scramble every time an audit comes around.”

Yerrapotu also highlighted how RegTech is helping to transform audits. Over the past decade, many firms have moved to risk-based audits, leveraging information from audit-ready repositories. Through regulatory intelligence solutions, auditors can know what they need to look for and the scope. Automated systems can also ensure continuous control testing, while AI and predictive analytics can aid the auditor with analysing information at scale.

On a final note, Yerrapotu highlighted that RegTech can work at varying levels of detail. He said, “RegTech systems can work at a high level, but also at a low level of detail. For example, at a high level, a RegTech system focused on regulatory change management can automatically generate an applicability or impact analysis based on a broad range of changes facing an organization, and then leverage AI to map obligations to policies, procedures and controls that fall short.

“At a more detailed level, regulatory reports in specific formats required by different authorities can be generated as required, such as a Suspicious Activity Report (SAR) for the U.S. Financial Crimes Enforcement Network (FinCEN) and a different report for its UK equivalent. And at an even more refined level, regulatory intelligence systems can provide a detailed, immutable audit trail of every action taken by users or the AI on the platform—from a change to procedures to a data routing decision—with anomaly detection to determine where patterns may be emerging that put the organization at risk. This kind of automation makes it vastly simpler to demonstrate compliance for auditors and regulators.”

Helping the small business

Global data privacy is not just a challenge for large businesses. There are countless small firms that are operating across jurisdictions. Unlike their larger peers, they don’t always have the budget to have sizable compliance divisions to monitor rules and updates in each location.

Yerrapotu said, “We are seeing small and medium-sized businesses struggle to lower risk and stay compliant with privacy laws as the ecosystem gets more complex not only across geographies but also across technologies. It can be daunting for small teams.”

The best way for them to keep pace with change is through RegTech. Rather than relying on manual work, they should seek a regulatory intelligence solution that tracks the privacy laws that apply to them.

“Most small businesses know the basics – what PII do we collect, do we store it, do we share it, how do we protect it? But the real challenge is to leverage RAI-powered regulatory intelligence for high-value tasks where the risk is also high.”

While there are many RegTech solutions available in the market, it is not simply a case of picking any provider. The team needs to find tools that are affordable, easy to implement and don’t require a dedicated IT team to manage. There are many cloud-based, subscription-based RegTech services that can give small businesses cheaper access to the tools they need for cross-border compliance, Yerrapotu explained. This isn’t just for small businesses, however: these types of RegTech solutions can also be very useful for larger firms that want to start small and scale up after proven success.

Nzsdejan also highlighted the similarity between small and large firms for cross-border data privacy compliance. He said, “The approach should stay the same as for global firms – small businesses need the same support. The key to the approach is high tailorability. This means ensuring that the context is captured right at the beginning of the process with high accuracy – this will allow for better obligation extraction and subsequently internal rules mappings. One of our USPs at Cardamon is the ability to tailor our solutions to the company – we provide a highly customised service with an excellent user experience, both to global firms but also to smaller businesses.”
